January 6, 2014

Configure Stateful Firewall

iptables Configuration Files

Persisted kernel filtering rules in iptables-save format; the iptables service loads this file at boot.

/etc/sysconfig/iptables

Configuration of the iptables service itself: which modules to load, and whether to save the running rules when the service is stopped or restarted.

/etc/sysconfig/iptables-config

List iptables filtering rules

$ iptables -vnL --line-numbers

options:

  1. v - verbose; without it you do not see, e.g., which interface a rule applies to. Every system has at least two interfaces: loopback (lo) and a network interface such as eth0.
  2. n - numeric output; addresses and ports are shown as numbers instead of being resolved to names (faster, and no DNS lookups from the firewall host).
  3. L - list the rules.
  4. line-numbers - show the position of each rule in its chain, which you need to delete or insert rules by number.

Basic iptables

iptables divides traffic into 3 built-in chains: INPUT, FORWARD and OUTPUT.

  1. INPUT. Traffic addressed to this host.
  2. FORWARD. Traffic passing through this host, the typical scenario being a router.
  3. OUTPUT. Traffic originating from this host.

Each chain has a default policy that is applied when no rule matches; it can only be ACCEPT or DROP. Rules themselves jump to a target, and ACCEPT, DROP and REJECT are the most common ones (REJECT answers the sender with an error instead of silently discarding the packet, but it is not allowed as a chain policy).

For each chain you then define a list of rules. The list is strictly ordered: a packet is checked against the rules from the top, and the first rule that matches decides, i.e. if rule 3 of 6 matches, evaluation stops there and rule 3's target is applied. The exception is a non-terminating target such as LOG, after which evaluation continues with the next rule; that is what makes it possible to log a packet and then reject it.

Demo

Lets get started with an open system, where the default action is ACCEPT.

$ iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 7 packets, 508 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
num   pkts bytes target     prot opt in     out     source               destination   

First we accept all incoming traffic on the loopback interface.

$ iptables -A INPUT -i lo -j ACCEPT

ACCEPT all packets belonging to already established conversations, and related ones (e.g. ICMP errors for a connection we opened).

$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want to enable PING, add below.

$ iptables -A INPUT -p icmp -j ACCEPT

Accept new SSH connections on port 22, but only from the LAN (192.168.122.*)

$ iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 192.168.122.0/24 -j ACCEPT

If you need VNC, it listens on port 5900; accept it only from the LAN (192.168.122.*) as well.

$ iptables -A INPUT -m state --state NEW -p tcp --dport 5900 -s 192.168.122.0/24 -j ACCEPT

Finally we add either a REJECT or a DROP rule at the end, since the default policy is still to ACCEPT incoming traffic. REJECT tells the sender the port is closed (by default with an ICMP port-unreachable; --reject-with tcp-reset mimics a closed TCP port), whereas DROP discards silently and leaves the sender waiting for a timeout.

$ iptables -A INPUT -j REJECT

And the same for FORWARD, since this host does not route traffic for others.

$ iptables -A FORWARD -j REJECT

If you made a typo in one of the rules above, e.g. in the rule on line 4, delete that rule by its number.

$ iptables -D INPUT 4

And if you need to insert a rule at a specific position, e.g. as the new line 4 (the existing rule 4 and everything after it move down by one).

$ iptables -I INPUT 4 ...
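The whole ruleset above in one place, as an added example that is not from the original post: a shell function that prints the rules in iptables-restore format, the same format that service iptables save writes to /etc/sysconfig/iptables. Keeping the rules in a file and loading them with iptables-restore replaces the whole table in one step, so there is no window in which a half-built chain is active. The LAN address, ports and rule order are those from the post; the DROP policies, the rate-limited LOG rule before the REJECT and the 5/min limit are my choices, and the load_rules helper assumes your iptables-restore supports --test.

```shell
#!/bin/sh
# Added example, not from the original post: generate the post's stateful
# INPUT/FORWARD ruleset in iptables-restore format.
# Assumptions: LAN is 192.168.122.0/24, SSH on tcp/22, VNC on tcp/5900 (from the post);
# the DROP policies and the rate-limited LOG rule before REJECT are my additions.

gen_rules() {
    lan="${1:-192.168.122.0/24}"
    cat <<EOF
*filter
# Default-deny policies: if the trailing REJECT rule is ever deleted by mistake,
# the chain still drops instead of silently opening the host.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Everything on loopback.
-A INPUT -i lo -j ACCEPT
# 2. Replies and follow-up packets of conversations this host already accepted.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Ping and other ICMP.
-A INPUT -p icmp -j ACCEPT
# 4./5. New SSH and VNC connections, but only from the LAN.
-A INPUT -s $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s $lan -p tcp --dport 5900 -m state --state NEW -j ACCEPT
# 6. Log what is about to be rejected, rate limited so a scan cannot fill the disk.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-reject: "
# 7. Reject everything else; this host is not a router, so the same for FORWARD.
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Parse-check the generated file without touching the kernel, then load it atomically.
# Needs root. Assumes iptables-restore supports --test; if yours does not, drop that step.
load_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$1" > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run directly: print the ruleset (redirect it to /etc/sysconfig/iptables to persist it).
gen_rules "${1:-}"
```

One caveat with the DROP policies: a manual iptables -F over SSH removes the rules but keeps the policy, so your own session is dropped too. Load changes with iptables-restore, which swaps the whole table at once, or set the policy back to ACCEPT before flushing by hand.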

Test

To test your firewall you can for example use nmap. Run it from another host, not from the firewall itself: traffic from the host to its own address goes over the loopback interface and is accepted by the first rule. Scan once from the LAN and once from outside it to confirm that SSH answers only from 192.168.122.0/24. Take notice though that you are not violating any policy when using a port scanning utility.

$ nmap 192.168.122.196

Make persistent

Write the running rules to /etc/sysconfig/iptables (the same thing iptables-save > /etc/sysconfig/iptables does). Without this step the rules are gone after the next reboot.

$ service iptables save

And to make sure that what you saved is what gets loaded, restart the iptables service, which flushes the running rules and reloads them from the file.

$ service iptables restart

Log

Logging firewall activity is a great way to debug your configuration. But beware on a production machine connected to the Internet: every rejected packet becomes a line in syslog, so either rate-limit the rule with -m limit (e.g. --limit 5/min) or make room for a big log partition. A --log-prefix such as "iptables-reject: " makes the entries easy to grep.

I will insert the LOG action just before my INPUT REJECT, which for me is on line 5 (check the number with iptables -vnL --line-numbers; it depends on which of the optional rules above you added). LOG does not terminate the chain, so the packet is still rejected by the next rule.

$ iptables -I INPUT 5 -j LOG

Now you can tail the default syslog file. The LOG entries come from the kernel and carry the IN=, SRC=, DST=, PROTO= and DPT= fields of each rejected packet.

$ tail -F /var/log/messages
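Once LOG entries accumulate, the useful question is who is being rejected and on which ports. As an added example that is not from the original post, here is a shell function that reduces kernel log lines carrying a --log-prefix of "iptables-reject: " to counts per source address, protocol and destination port. The prefix is an assumption (the post's LOG rule logs without one), and the sample log lines are constructed to look like the kernel's output, not real captures.

```shell
#!/bin/sh
# Added example, not from the original post: summarize iptables LOG entries
# from syslog by source address, protocol and destination port.
# Assumes the LOG rule used --log-prefix "iptables-reject: ".

summarize_rejects() {
    awk '
    /iptables-reject: / {
        src = ""; proto = ""; dpt = "-"
        # The kernel writes KEY=VALUE tokens; pick the three we report on.
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # absent for ICMP
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log lines (not real captures), in the format the kernel
# writes to /var/log/messages; the sshd line shows that unrelated entries are skipped.
SAMPLE_LOG='Jan  6 10:01:02 host kernel: iptables-reject: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=10.0.0.5 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  6 10:01:03 host kernel: iptables-reject: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=10.0.0.5 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  6 10:01:04 host kernel: iptables-reject: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=10.0.0.5 DST=192.168.122.196 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  6 10:02:11 host sshd[2201]: Accepted publickey for admin from 192.168.122.1 port 40122 ssh2
Jan  6 10:03:40 host kernel: iptables-reject: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.168.122.196 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=60001 DPT=161 LEN=58'

# Run directly against the sample; on a real host: summarize_rejects < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

The output is sorted by count, so the busiest source and port come first; a single address hammering one port (here 10.0.0.5 on 23) is a scanner or a misconfigured client, while one hit per port from one source is a port sweep.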
